OFFICE OF INSPECTOR GENERAL

REVIEW OF
NATIONAL ENDOWMENT FOR THE ARTS'
CONTROL OVER COMPUTER-RELATED EQUIPMENT

Report No. R-11-02

January 25, 2011

REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, The Inspector General Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

BACKGROUND

During the FY 2010 Evaluation of the National Endowment for the Arts' (NEA) Compliance with the Federal Information Security Management Act of 2002 (FISMA), the Office of Inspector General (OIG) became aware of a computer security incident involving the theft of a laptop computer ("laptop") from the office of an NEA employee. While it does not appear that this incident resulted in any identity theft or other damage to the Agency or persons involved, we felt it was critical to understand the factors and circumstances that led to the theft of the laptop and to identify what needs to be done to strengthen controls over the Agency's computer-related equipment.

Our review of the incident noted several weaknesses in the computer security incident reporting process and in the physical security of laptops. As a result, we increased the scope of the review to include reported computer security incidents involving laptops during the past five years.

OBJECTIVE/SCOPE

The objective of the review was to determine whether NEA was processing and reporting computer security incidents, specifically those involving laptop thefts, in accordance with its policies and federal guidance such as the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-61, Computer Incident Handling Guide. A computer incident within the federal government, as defined by NIST SP 800-61, is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. NIST guidance and NEA's Computer Security Incident Policy further describe thefts of hardware or software as computer incidents.

Our scope was computer security incidents involving the theft of laptops reported from FY 2005 to present. The review was conducted in accordance with the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Inspections and Evaluations, as applicable.

METHODOLOGY

We interviewed NEA staff from Information and Technology Management (ITM), the Administrative Services Office (ASO), and other affected personnel. We held discussions with General Services Administration staff and contractors responsible for building operations and security at the Old Post Office Building (OPO). We also held discussions with officials at the Federal Protective Service (FPS). We obtained and reviewed NEA policies and the NIST guidelines for reporting computer security incidents. NEA has two internal policies that define procedures for reporting computer security incidents:

   1. NEA Directive Number 1355, Revision No. 2, Security of Arts Endowment Offices, effective 2/14/06
   2. NEA ITM Computer Security Incident Policy, rev. 11/15/10

NEA's Information and Technology Management (ITM) provided us with a list of computer security incidents involving laptops reported since FY 2005. In total, seven laptops were stolen and one was listed as "issued and never returned" by a staff member who is no longer employed at the Agency. We reviewed each incident and the applicable guidelines to determine NEA's compliance with computer security incident reporting requirements. Details are presented below.

INCIDENT NOTIFICATION

An organization's ability to respond to computer-related security incidents is necessary for rapidly detecting incidents, minimizing loss and destruction, and mitigating weaknesses. Timely reporting and notification are essential to the effective handling of computer security incidents, allowing both external and internal parties to execute their responsibilities and ensure quick resolution.

Since FY 2005, there have been eight reportable computer security incidents at the NEA. Of the eight incidents, two were not reported to the ITM Information System Security Officer (ISSO), one was not reported to the FPS, and none were reported to the OIG. According to NEA's ITM Computer Security Incident Policy, both "NEA's Administrative Services Office and the Federal Protective Service are to be notified of all computer-related thefts." ITM's policy, however, did not include notification to the OIG. The Office of Management and Budget (OMB) Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), states, in part, that agencies should notify law enforcement agencies and Inspectors General of actual or suspected breaches involving PII. We discussed this finding with the ITM ISSO, and the policy was subsequently revised to include notification to the OIG.

During our discussions with ITM and ASO staff, we found inconsistencies in the staff's understanding of notification and reporting responsibilities. ITM's Computer Security Incident Policy clearly delegates the responsibility for investigating and reporting computer incidents to the Computer Security Incident Team (CSIT), which, according to the policy, consists of three members from ITM: the Deputy Chief Information Officer, the Network Administrator, and the ISSO. However, we found that ITM delegates the responsibility for reporting computer-related incidents to outside parties such as the FPS to the ASO.

We recommend that ITM assume responsibility for notification and reporting of any computer-related incidents, as required by its policy.

We also identified several inconsistencies in the Agency's written policies governing the reporting of computer-related incidents. For example:

Directive 1355, Section V.D.8, instructs employees to report theft and vandalism of Federal or personal property first to the FPS, and immediately thereafter to the ASO or ITM as relevant. However, this is in direct conflict with ITM's Computer Security Incident Policy, which only instructs employees to report the incidents to the Help Desk via e-mail (or phone if e-mail is not available).

We recommend that ITM and the ASO collaborate to ensure that Agency directives and ITM's Computer Security Incident Policy are consistent and implemented. The policies should clearly assign to ITM the responsibility for notifying both external and internal parties of computer-related security incidents, and to the ASO the responsibility for security incidents involving non-computer-related equipment. In addition, we recommend that the Agency ensure that the policies are communicated to employees and contractors.

INTERNAL CONTROLS

Accountability for NEA Computer-Related Equipment

NEA Directive 1355, Section D.12, directs employees to return all assigned Federal computer-related hardware and software to ITM upon separation from the Arts Endowment. However, ITM records indicate that in one instance a laptop was not returned upon separation of an employee. The employee was assigned a laptop in 2003 and subsequently re-assigned it to another employee without notifying ITM. Employment Clearance Statements indicated that both employees were cleared by ITM for returning all computer-related equipment, including laptops. The original assignee was cleared in January 2009 and the subsequent employee was cleared in August 2007. ITM contacted both employees in February 2009 to determine the location of the laptop. The employee who separated in 2007 indicated that the laptop was returned prior to separation; however, there is no documentation to confirm that the laptop was returned to the agency. An incident report was not completed and the ISSO was not notified. We recommend that ASO and ITM collaborate to develop and implement policies and procedures to prohibit the assignment of any computer-related equipment by employees other than authorized ITM staff.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, Appendix F, Media Protection, recommends as a control enhancement that organizations track, document, and verify media sanitization and disposal actions. ITM's inventory includes equipment classified as "retired"; however, "excessed" equipment is not included. For example, the above laptop was identified in ITM's 7/16/2008 inventory as assigned to the original employee; however, a separate excess report identified the laptop as excessed on 1/10/2008. The laptop was not identified in the 2009 inventory. In addition, the excess list provided did not indicate how or to what organization the equipment was excessed.

According to ITM's Equipment Inventory Policy, when equipment is transferred between departments or moved to another location, the information on the IT Equipment Inventory Spreadsheet must be updated to reflect the new location of the equipment. Neither ITM nor the ASO maintained documentation identifying the recipient of the excessed computer-related equipment.

We recommend that ITM, in cooperation with the ASO, develop and implement policies and procedures to ensure that documentation on all computer-related equipment classified as excess is maintained, including the identification of the recipient organization. We also recommend that ITM include excess computer-related equipment in its inventory, in the year of excess, to improve accountability and ensure that computer-related equipment is accurately accounted for and documented.

NEA employees are not required to provide written acknowledgement of receipt of computer-related equipment; therefore, there is no documentation to support receipt of equipment. We recommend that ITM, in cooperation with ASO, develop and implement policies and procedures to ensure that computer-related equipment issued to employees or contractors is adequately documented and that the employee's signature is included to acknowledge receipt.

To further strengthen controls, we recommend that ASO and ITM work with the Office of Human Resources to revise the standard employee exit form to include identification information on computer-related equipment, to ensure that equipment issued to employees or contractors is returned to the Agency upon separation.

The agency informed us that the standard employee exit form has been revised to include identification information for computer-related equipment, and is now in use.

We were informed by ITM that the return of assigned computer-related equipment is verified before clearing employees or contractors for separation. However, we recommend that ITM document the identification number on the employee exit form to verify return of "assigned" equipment.

Portable and mobile computer systems, such as laptops, have an increased risk of theft and physical damage. Users can also "misplace" or leave laptops unattended. In seven of the eight reported incidents, laptops were stolen from NEA offices where they were left unsecured. NEA Directive 1355 states, in part, that agency personnel are responsible for "returning promptly to ASO or ITM all property and equipment lent from their inventories at the conclusion of the meeting or other purpose." However, in one instance, seven laptops were authorized for an event outside of the building. At the end of the event, the laptops were packed in boxes labeled "laptops" to be returned to the agency. The boxes were stored over a weekend in an agency storeroom. According to ITM records, three laptops were stolen somewhere between the facility and storage at the NEA.

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, recommends secure storage of laptops when not in use. The handbook recommends encryption of data files on stored media as a cost-effective precaution against disclosure of confidential information if a laptop is lost or stolen. It also recommends user security briefings on the proper security of portable computer systems and signed briefing acknowledgments.

We recommend that ITM provide all users with physical security for laptops, such as "security cable locks," and ensure that users understand and acknowledge their responsibility for the security of Agency computer-related equipment. We also recommend that ITM install anti-theft software on laptops.

On January 14, 2011, ITM began installing security cable locks on desktop and laptop computers.

Removal of NEA Computer-Related Equipment

NEA Directive 1355, VII.B, states that "if the item to be removed is computer-related hardware or software, whether owned by the Federal government or the individual, the individual must obtain a special pass signed by the CIO [Chief Information Officer] or other authorized ITM official."

Directive 1355, Section VII.C, states: "On departing from the OPO with the specified property, the security guard on duty will check the pass's signature against a list of authorizers' signatures. The guard also may ask to see the item. When the guard has determined the validity of the pass, the individual may leave with the item." This policy would be impossible to implement without the cooperation of employees. However, we found that employees were not requesting or displaying passes for the removal of NEA computer-related equipment. This weakness in controls over computer-related equipment increases the risk of the Agency and its employees being exposed to potential loss of Federal property and theft of PII or sensitive information.

We recommend that ASO and ITM collaborate to revise their policies and directive to improve security requirements for removing computer-related property, such as laptops, and communicate the requirements to NEA employees.

DOCUMENTATION OF INCIDENTS

ITM was unable to provide adequate documentation detailing the events for seven of the eight incidents. ITM did not complete computer security incident reports and did not maintain documentation of the resolution or final disposition of the incidents. ITM informed us that computer security incidents were reported to ASO by e-mail or telephone.

The incident reporting guidelines of NIST and of US-CERT (the United States Computer Emergency Readiness Team) provide recommendations for incident documentation. For example, NIST SP 800-61, Section 3.2.5, Incident Documentation, recommends, in part:

      As soon as an incident response team suspects that an incident is occurring or
      has occurred, it is important to immediately start recording all facts regarding the
      incident. The incident response team should maintain records about the status of
      incidents, along with other pertinent information.

ITM's Computer Security Incident Policy also directs the CSIT to ensure that all computer incidents are investigated in a "timely fashion." However, the policy does not include time requirements or guidance on what "timely fashion" means. In one instance, ITM took more than two weeks to determine that there was no PII or any other sensitive information on the missing laptop.

Directive 1355, VIII.C, further directs the affected employee to prepare a brief memorandum to the ASO detailing the incident. The ASO could only provide memoranda to support two incidents.

We recommend that ITM develop and implement policies and procedures to adequately document computer security incidents. ITM should develop time requirements for investigating and reporting computer security incidents. Written notification of computer-related incidents to appropriate internal and external parties should be supported by Computer Incident Reports and the employee's statement detailing events. We also recommend that the ASO and ITM collaborate to revise policies and procedures to ensure that affected employees adequately document computer security incidents and submit the documentation to ITM. ITM should also include this requirement in its Computer Security Incident Policy.

RECOMMENDATIONS

As a result of our findings and the most recent computer incident, the ISSO submitted recommendations to the CIO to address weaknesses found in ITM's computer incident policies and procedures. The recommendations included:

1.    Encryption of information on all mobile computers/devices which carry Agency information to ensure PII and sensitive information is not compromised.

2.    Revising ITM's Computer Security Incident Policy to centralize the responsibility of notifying all parties involved of lost or stolen equipment, including time requirements for reporting incidents.

3.    Developing and implementing the standard incident reporting form to include detailed information on computer equipment lost or stolen.

4.    Requiring users to sign for mobile/portable computer-related equipment (e.g., laptops) and acknowledge responsibility for safeguarding equipment.

5.    Developing or revising the inventory system for tracking stolen equipment to include the status of encryption and whether PII or sensitive data is on the equipment.

6.    Developing and implementing procedures to ensure accuracy of the inventory tracking system.

7.    Increasing users' knowledge of computer security incident reporting.

In addition to the ISSO recommendations, the OIG recommends:

1. ITM assume responsibility for notification and reporting of any computer-related incidents as required by its policy.

2. ASO and ITM collaborate to ensure that Agency directives and ITM's Computer Security Incident Policy are consistent and implemented. The policies should clearly outline the responsibility for notification to both external and internal parties by ITM for computer-related equipment and by ASO for non-computer-related equipment and building operations. In addition, we recommend that the Agency ensure that the policies are communicated to employees and contractors.

3. ASO and ITM collaborate to develop and implement policies and procedures to prohibit the assignment of any computer-related equipment by anyone other than authorized ITM employees.

4. ASO and ITM collaborate to develop and implement policies and procedures to ensure that documentation on all computer-related equipment classified as excess is maintained, including the identification of the recipient organization.

5. ITM include excess computer-related equipment in its inventory, in the year of excess, to improve accountability and ensure that computer-related equipment is accurately accounted for and documented.

6. ITM, in cooperation with the ASO, develop and implement policies and procedures to ensure that computer-related equipment issued to employees is adequately documented and the employee's signature is included to acknowledge receipt.

7. ITM document the serial number of mobile/portable computer-related equipment on the employee exit form to verify return of "assigned" equipment.

8. ITM provide all users with physical security for laptops, such as "security cable locks," and ensure that users understand and acknowledge their responsibility for the security of Agency computer-related equipment. We also recommend that ITM install anti-theft software on laptops.

9. ASO and ITM collaborate to revise Agency policies and directives to improve security requirements for removing mobile/portable computer-related property, such as laptops, and communicate the requirements to NEA employees.

10. ITM develop and implement policies and procedures to adequately document computer security incidents. ITM should develop time requirements for investigating and reporting computer security incidents. Written notification of computer-related incidents to appropriate internal and external parties should be supported by Computer Incident Reports and the employee's statement detailing events.

11. ASO and ITM collaborate to revise policies and procedures to ensure that affected employees adequately document computer security incidents and submit the documentation to ITM. ITM should also include this requirement in its Computer Security Incident Policy.